dev-sec · aisbergg · Mar 17, 2022
diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
@@ -130,6 +130,9 @@ We know that this is the case on Raspberry Pi.
 - `os_auth_pam_sssd_enable`
   - Default: `false` (on RHEL8/CentOS8/Fedora `true`)
   - Description: activate PAM auth support for sssd
+- `os_auth_pam_winbind_enable`
+  - Default: `false`
+  - Description: activate PAM auth support for winbind
 - `os_security_users_allow`
   - Default: `[]`
   - Description: list of things, that a user is allowed to do. May contain `change_user`.

diff --git a/roles/os_hardening/tasks/pam_rhel.yml b/roles/os_hardening/tasks/pam_rhel.yml
@@ -6,6 +6,13 @@
   when:
     - os_auth_pam_sssd_enable | bool
 
+- name: Install samba-winbind-modules
+  yum:
+    name: samba-winbind-modules
+    state: 'present'
+  when:
+    - os_auth_pam_winbind_enable | bool
+
 - name: Configure passwdqc and faillock via central system-auth config
   template:
     src: 'etc/pam.d/rhel_auth.j2'

diff --git a/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2 b/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
@@ -16,6 +16,10 @@ auth        sufficient    pam_unix.so nullok try_first_pass
 auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
 auth        sufficient    pam_sss.so forward_pass
 {% endif %}
+{% if (os_auth_pam_winbind_enable | bool) %}
+auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
+auth        sufficient    pam_winbind.so use_first_pass
+{% endif %}
 {% if os_auth_retries > 0 %}
 auth        required      pam_faillock.so authfail audit even_deny_root deny={{ os_auth_retries }} unlock_time={{ os_auth_lockout_time }}
 {% endif %}
@@ -30,6 +34,9 @@ account     sufficient    pam_succeed_if.so uid < 1000 quiet
 {% if (os_auth_pam_sssd_enable | bool) %}
 account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 {% endif %}
+{% if (os_auth_pam_winbind_enable | bool) %}
+account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
+{% endif %}
 account     required      pam_permit.so
 
 {% if (os_auth_pam_passwdqc_enable | bool) %}
@@ -42,6 +49,9 @@ password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_au
 {% if (os_auth_pam_sssd_enable | bool) %}
 password    sufficient    pam_sss.so use_authtok
 {% endif %}
+{% if (os_auth_pam_winbind_enable | bool) %}
+password    sufficient    pam_winbind.so use_authtok
+{% endif %}
 password    required      pam_deny.so
 
 session     optional      pam_keyinit.so revoke
@@ -52,3 +62,6 @@ session     required      pam_unix.so
 {% if (os_auth_pam_sssd_enable | bool) %}
 session     optional      pam_sss.so
 {% endif %}
+{% if (os_auth_pam_winbind_enable | bool) %}
+session     optional      pam_winbind.so
+{% endif %}
diff --git a/roles/os_hardening/vars/Amazon.yml b/roles/os_hardening/vars/Amazon.yml
@@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: false
+os_auth_pam_winbind_enable: false
 
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail

diff --git a/roles/os_hardening/vars/Fedora.yml b/roles/os_hardening/vars/Fedora.yml
@@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: true
+os_auth_pam_winbind_enable: false
 
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail

diff --git a/roles/os_hardening/vars/RedHat.yml b/roles/os_hardening/vars/RedHat.yml
@@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: false
+os_auth_pam_winbind_enable: false
 
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail

diff --git a/roles/os_hardening/vars/RedHat_7.yml b/roles/os_hardening/vars/RedHat_7.yml
@@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: false
+os_auth_pam_winbind_enable: false
 
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail

diff --git a/roles/os_hardening/vars/RedHat_8.yml b/roles/os_hardening/vars/RedHat_8.yml
@@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: true
+os_auth_pam_winbind_enable: false
 
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail

diff --git a/roles/os_hardening/vars/Rocky_8.yml b/roles/os_hardening/vars/Rocky_8.yml
@@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: true
+os_auth_pam_winbind_enable: false
 
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail